The worm drops two files, named com.openbundle.plist and com.pwned.plist, to the LaunchAgents directory to ensure that it will be launched automatically when the victim machine is rebooted. w0rm-support.tgz, which contains the worm components, is dropped to /Users/.

Once the operating system has been restarted, com.openbundle.plist unpacks the worm components and com.pwned.plist executes the worm's main binary. Inqtana then attempts to replicate by scanning for devices which have Bluetooth enabled. It will then send itself to any devices found that support Object Exchange (OBEX) Push requests.
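A defender-side check for the persistence mechanism described above, added here as an example (it is not code from the article or from the worm): it parses LaunchAgents plists with Python's plistlib and flags entries that start at login from an unusual location or carry one of the labels named in the text. The two sample plists and the program path inside them are constructed placeholders, and the list of trusted path prefixes is an assumption.

```python
import plistlib
from pathlib import Path

# Labels the article associates with Inqtana's LaunchAgents persistence.
KNOWN_BAD_LABELS = {"com.openbundle", "com.pwned"}
# Prefixes from which installed agents normally run (assumption for this demo).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/")

def inspect_launch_agent(data: bytes) -> dict:
    """Parse one LaunchAgents plist; report what it runs and why it looks odd."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    run_at_load = bool(plist.get("RunAtLoad", False))
    findings = []
    if label in KNOWN_BAD_LABELS:
        findings.append(f"label {label!r} matches a name used by Inqtana")
    if program and not program.startswith(TRUSTED_PREFIXES):
        findings.append(f"program {program!r} runs from an unusual location")
    if run_at_load and findings:
        findings.append("starts automatically at login (RunAtLoad)")
    return {"label": label, "program": program,
            "run_at_load": run_at_load, "findings": findings}

def scan_launch_agents(directory: Path) -> dict:
    """Inspect every .plist in a LaunchAgents directory, keyed by file name."""
    return {p.name: inspect_launch_agent(p.read_bytes())
            for p in sorted(directory.glob("*.plist"))}

# Constructed sample shaped like the persistence entry the text describes;
# the program path is a placeholder, not taken from the real worm.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.pwned</string>
  <key>ProgramArguments</key>
  <array><string>/Users/w0rm-support/main</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed benign entry for comparison.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""
```

On a live system, `scan_launch_agents(Path.home() / "Library/LaunchAgents")` (and `/Library/LaunchAgents`) returns the same report for every installed agent.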

It was later discovered that Inqtana was written by the security researcher Kevin Finisterre, who created the worm as a proof of concept.

On 21 February, two zero-day exploits targeting Mac OS X appeared: Exploit.OSX.Safari.a, discovered by Michael Lehn, and Exploit.OSX.ScriptEx.a, discovered by Kevin Finisterre (the author of Inqtana). Both exploits received extensive coverage in the IT media.

Exploit.OSX.Safari is an exploit which targets Apple's web browser “Safari”. Due to a certain feature in Safari, it’s possible to create certain types of ZIP files which, when they are downloaded from the Internet, will result in code being executed. This vulnerability was patched in Apple Security Update 2006-001.

Exploit.OSX.ScriptEx.a is an exploit for a vulnerability in the Apple Mail application for Mac OS X. It is triggered if a specially-crafted attachment is sent via email. The vulnerability itself is a buffer overflow which can be triggered when the Real Name component of the MIME Encapsulated Macintosh file is parsed. A careful choice of Real Name size and content can lead to arbitrary code being executed, which can then be used to install a Trojan or other malware on the victim machine. It can also be used to take total control of the victim machine. This issue was fixed by the Apple Security Update 2006-002.

On 19 April, Tom Ferris, a security researcher, disclosed another six zero-day vulnerabilities which would enable a remote malicious user to crash or hijack the victim machine.

Conclusion

Overall, malware has evolved enormously over the last couple of years. In the past, most authors of malicious code were seeking a place in the headlines. Today, they are looking for financial gain. Apple's small share of the global personal computer market has, until now, protected Macs from the unwanted attention of malware authors. However, as Apple systems become more popular, this will change; once critical mass is reached, more malware will undoubtedly start to appear. Even though malware like IM-Worm.OSX.Leap.a and Worm.OSX.Inqtana.A and exploits like Exploit.OSX.Safari.a and Exploit.OSX.ScriptEx.a were all proof of concept code, and had no obvious malicious payload, these proof of concept programs showed that Mac OS X does contain security flaws, and that these can be used to compromise the system.

Whether the proof of concept code covered in this article will be used for financial gain in the near future remains to be seen. History, however, shows that once vulnerabilities are identified, malware writers are never far behind.
